Crypto Clash: Beijing Blames US for LuBian's 127,000 BTC Bitcoin Exploit
China accuses Washington of 'draining' 127,000 BTC from LuBian in 2020. Researchers link the exploit to a flaw in key generation.
The debate over who was behind LuBian's massive Bitcoin exploit of 2020 has intensified, with China's National Computer Virus Emergency Response Center (CVERC) publicly accusing the US of carrying it out.
This narrative clashes with the results of Western forensic research, which has identified the cause of the event as a flaw in random number generation without naming any state actor.
The incident, well documented by open sources such as Arkham, saw some 127,000 BTC moved from wallets associated with the LuBian mining pool between 28 and 29 December 2020.
The MilkSad research team, in its work around CVE-2023-39910, determined that the wallets were created with software that used only 32 bits of entropy for the MT19937 seed, exposing batches of P2SH-P2WPKH addresses to brute-force attacks.
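The following is an added illustration, not code from the article, MilkSad or the affected wallet software, of why a small seed caps the keyspace no matter how long the key is, shown beside the hardened pattern. It assumes Python's `random` module (whose core generator is MT19937, but whose seeding routine is Python's own) and a deliberately reduced seed space; all function names are hypothetical.

```python
import random
import secrets
from typing import Optional

KEY_BYTES = 32  # 256 bits of private-key material


def weak_key(seed: int, seed_bits: int = 32) -> bytes:
    """Vulnerable pattern: 256 output bits, but only seed_bits of entropy."""
    masked = seed & ((1 << seed_bits) - 1)   # anything above seed_bits is discarded
    rng = random.Random(masked)              # MT19937 core, fully determined by the seed
    return rng.getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")


def strong_key() -> bytes:
    """Hardened pattern: key bytes taken directly from the OS CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def audit_key(key: bytes, seed_bits: int) -> Optional[int]:
    """Return the seed that reproduces `key`, or None if no seed in the space does."""
    for seed in range(1 << seed_bits):
        if weak_key(seed, seed_bits) == key:
            return seed
    return None


def distinct_keys(seed_bits: int) -> int:
    """Count how many different keys the weak generator can ever emit."""
    return len({weak_key(s, seed_bits) for s in range(1 << seed_bits)})


if __name__ == "__main__":
    DEMO_BITS = 12                            # constructed, reduced space for the demo
    k_weak = weak_key(1234, DEMO_BITS)        # constructed sample seed
    k_strong = strong_key()
    print("weak key reproducible from seed:", audit_key(k_weak, DEMO_BITS))
    print("CSPRNG key reproducible from seed:", audit_key(k_strong, DEMO_BITS))
    print("keys reachable with", DEMO_BITS, "seed bits:", distinct_keys(DEMO_BITS))
```

The number of reachable keys equals the number of seeds, so the effective key strength is the seed width, not the 256-bit key length.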
Forensics and Final Custody
The funds, after years of dormancy, are now under the control of the US government. The Department of Justice (DOJ) is pursuing the forfeiture of some 127,271 BTC, tying them to alleged fraud and money laundering linked to Chen Zhi and the Prince Group.
Elliptic and on-chain sleuths such as ZachXBT have confirmed that the addresses cited in the DOJ's complaint overlap with LuBian's previously identified cluster of weak keys.
However, the technical teams that first identified the flaw did not claim knowledge of the perpetrator of the 2020 exploit, referring to the entity as a "hacker" or an "unknown actor".
China's Attribution Jump
The CVERC, amplified by the CCP-owned Global Times, bases its attribution to the US on two circumstantial inferences: the four-year dormancy period of the funds (deemed abnormal for common criminality) and the subsequent final custody of the coins by the US government. CVERC's technical report is otherwise in line with independent research.
There are at least three plausible readings of the facts:
While the first two readings are in line with the evidentiary posture of the DOJ and forensic firms, the third is a political allegation unsupported by new independent technical evidence in the public domain.